How to install Snort - Part I

An IDS is a security tool, that allow us to monitor our network events searching attempts to compromise the security of our systems. It’s possible matching predefinied rules emulating the behaviour of an attack and it’s possible to deny the package or simply alert us to an email or sending messages to log. Basically we can find two types of IDS:

• HIDS: Host based IDS, monitors the activity of a single machine, searching anomaling behaviors.
• NID: Network IDS, capture and analyze network packages to search attack patterns.

Generally an IDS can be located in each network segment, for example front of the firewall or back of the firewall or also can be implemented in the same firewall if we have a small network traffic, with this way we can analyze all input and output traffic.

SNORT
Snort is a NIDS, implements real time scanning of attack detection and port scanning detecting. The basic architecture of snort:

• Packet capture module: Used to capture network traffic using libpcap library.
• Decoder: It ensures to form the data structures of the packages captured and identify the network protocol.
• Preprocessor: prepocessors are plugins developed generally in C and process the packets provided by the decoder and ensambles the packets received. This preprocessors are configured in snort.conf file configuration. Some preprocessor examples may be:
  – sfPortscan
  – Frag3
  – HTTP
  – SSH
  – To see a complete list visit: http://manual.snort.org/node17.html
•  Detection engine: Analyze the packets based in our rules configued.
•  Detection plugins: Used to modify the behaviour of the detection engine.
• Output plugins: Defines how and where saves the alters and the packages generated.

For this post I’ll explain how to install and configure snort from the source code in CentOS 6 and download free ruleset for snort and configure for be used.

Installing dependencies and preparing the environment
– Installing rpmforge repository:

# rpm -Uhv http://apt.sw.be/redhat/el6/en/i386/rpmforge/RPMS/rpmforge-release-0.5.2-2.el6.rf.i686.rpm

– Install prerequisites packages:

# yum -y install libdnet libdnet-devel libpcap libpcap-devel daq gcc make flex bison pcre pcre-devel zlib zlib-devel

– Downloading and installing daq:

# cd /tmp ; wget http://www.snort.org/downloads/1850 -O daq-1.1.1.tar.gz # tar -xzvf daq-1.1.1.tar.gz # cd daq-1.1.1/ # ./configure # make && make install # ldconfig -v

– Creating snort user and tree directories:

# groupadd snort # useradd -g snort snort # mkdir /usr/local/snort # mkdir /etc/snort # mkdir /var/log/snort # mkdir /var/run/snort # chown snort:snort /var/log/snort # chown snort:snort /var/run/snort

Installing Snort and configuring the ruleset
– Downloading and installing snort:

# cd /tmp ; wget http://www.snort.org/downloads/1862 -O snort-2.9.3.1.tar.gz # tar -xzvf snort-2.9.3.1.tar.gz # cd snort-2.9.3.1/ # ./configure --prefix /usr/local/snort --enable-sourcefire --enable-ipv6 # make && make install # ln -s /usr/local/snort/bin/snort /usr/bin/snort # cp /tmp/snort-2.9.3.1/etc/snort.conf /etc/snort/ # cp /tmp/snort-2.9.3.1/etc/unicode.map /etc/snort/ # cp /tmp/snort-2.9.3.1/etc/classification.config /etc/snort/ # cp -r /usr/local/snort/lib/snort_dynamicpreprocessor/ /usr/local/lib/ # cp -r /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/

– Downloading open source ruleset from emerging:

# cd /etc/snort ; wget http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz && wget http://rules.emergingthreats.net/open/snort-2.9.0/reference.config # tar -xzvf emerging.rules.tar.gz # touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules # chown -R snort:snort /etc/snort/

– Edit snort configuration:

# vi /etc/snort/snort.conf

ipvar HOME_NET 192.168.1.0/24 var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules var WHITE_LIST_PATH /etc/snort/rules var BLACK_LIST_PATH /etc/snort/rules include $RULE_PATH/emerging.conf

Configuring the init script for Snort
– Create sysconfig snort configuration:

# vi /etc/sysconfig/snort

#### General Configuration INTERFACE=eth0 CONF=/etc/snort/snort.conf USER=snort GROUP=snort PASS_FIRST=0 #### Logging & Alerting LOGDIR=/var/log/snort ALERTMODE=fast DUMP_APP=1 BINARY_LOG=1 NO_PACKET_LOG=0 PRINT_INTERFACE=0

– Adding the init script:

# vi /etc/init.d/snortd

#!/bin/bash # # snort Start up the Snort Intrusion Detection System daemon # # chkconfig: 2345 55 25 # description: Snort is a Open Source Intrusion Detection System # This service starts up the snort daemon. # # processname: snort # pidfile: /var/run/snort_eth0.pid ### BEGIN INIT INFO # Provides: snort # Required-Start: $local_fs $network $syslog # Required-Stop: $local_fs $syslog # Should-Start: $syslog # Should-Stop: $network $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Start up the Snort Intrusion Detection System daemon # Description: Snort is an application for Open Source Intrusion Detection. # This service starts up the Snort IDS daemon. ### END INIT INFO # source function library . /etc/rc.d/init.d/functions # pull in sysconfig settings [ -f /etc/sysconfig/snort ] && . /etc/sysconfig/snort RETVAL=0 prog="snort" lockfile=/var/lock/subsys/$prog # Some functions to make the below more readable SNORTD=/usr/bin/snort #OPTIONS="-A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort" #PID_FILE=/var/run/snort_eth0.pid # Convert the /etc/sysconfig/snort settings to something snort can # use on the startup line. if [ "$ALERTMODE"X = "X" ]; then ALERTMODE="" else ALERTMODE="-A $ALERTMODE" fi if [ "$USER"X = "X" ]; then USER="snort" fi if [ "$GROUP"X = "X" ]; then GROUP="snort" fi if [ "$BINARY_LOG"X = "1X" ]; then BINARY_LOG="-b" else BINARY_LOG="" fi if [ "$LINK_LAYER"X = "1X" ]; then LINK_LAYER="-e" else LINK_LAYER="" fi if [ "$CONF"X = "X" ]; then CONF="-c /etc/snort/snort.conf" else CONF="-c $CONF" fi if [ "$INTERFACE"X = "X" ]; then INTERFACE="-i eth0" PID_FILE="/var/run/snort_eth0.pid" else PID_FILE="/var/run/snort_$INTERFACE.pid" INTERFACE="-i $INTERFACE" fi if [ "$DUMP_APP"X = "1X" ]; then DUMP_APP="-d" else DUMP_APP="" fi if [ "$NO_PACKET_LOG"X = "1X" ]; then NO_PACKET_LOG="-N" else NO_PACKET_LOG="" fi if [ "$PRINT_INTERFACE"X = "1X" ]; then PRINT_INTERFACE="-I" else PRINT_INTERFACE="" fi if [ "$PASS_FIRST"X = "1X" ]; then PASS_FIRST="-o" else PASS_FIRST="" fi if [ "$LOGDIR"X = "X" ]; then LOGDIR=/var/log/snort fi # These are used by the 'stats' option if [ "$SYSLOG"X = "X" ]; then SYSLOG=/var/log/messages fi if [ "$SECS"X = "X" ]; then SECS=5 fi if [ ! "$BPFFILE"X = "X" ]; then BPFFILE="-F $BPFFILE" fi runlevel=$(set -- $(runlevel); eval "echo $$#" ) start() { [ -x $SNORTD ] || exit 5 echo -n $"Starting $prog: " daemon --pidfile=$PID_FILE $SNORTD $ALERTMODE $BINARY_LOG $LINK_LAYER $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF && success || failure RETVAL=$? [ $RETVAL -eq 0 ] && touch $lockfile echo return $RETVAL } stop() { echo -n $"Stopping $prog: " killproc $SNORTD if [ -e $PID_FILE ]; then chown -R $USER:$GROUP /var/run/snort_eth0.* && rm -f /var/run/snort_eth0.pi* fi RETVAL=$? # if we are in halt or reboot runlevel kill all running sessions # so the TCP connections are closed cleanly if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then trap TERM killall $prog 2> /dev/null trap TERM fi [ $RETVAL -eq 0 ] && rm -f $lockfile echo return $RETVAL } restart() { stop start } rh_status() { status -p $PID_FILE $SNORTD } rh_status_q() { rh_status > /dev/null 2>&;1 } case "$1" in start) rh_status_q && exit 0 start ;; stop) if ! rh_status_q; then rm -f $lockfile exit 0 fi stop ;; restart) restart ;; status) rh_status RETVAL=$? if [ $RETVAL -eq 3 -a -f $lockfile ] ; then RETVAL=2 fi ;; *) echo $"Usage: $0 {start|stop|restart|status}" RETVAL=2 esac exit $RETVAL

– Start snort at system boot time:

# chmod +x /etc/init.d/snortd # chkconfig --levels 235 snortd on

– Starting snort:

# /etc/init.d/snortd start

Testing the basic functionality of port scanning detection with nmap

# tail -f /var/log/snort/alert